diff --git a/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch b/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
new file mode 100644
index 0000000..fa04b69
--- /dev/null
+++ b/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
@@ -0,0 +1,39 @@
+From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Thu, 10 Jun 2021 14:00:00 +0000
+Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
+ password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+Closes: https://github.com/linux-pam/linux-pam/issues/367
+---
+ modules/pam_unix/passverify.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f80..5a19ed85 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ D(("account expired"));
+ return PAM_ACCT_EXPIRED;
+ }
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+- if (spent->sp_lstchg == 0 ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ if (spent->sp_lstchg == 0) {
+-#endif
+ D(("need a new password"));
+ *daysleft = 0;
+ return PAM_NEW_AUTHTOK_REQD;
diff --git a/pam.spec b/pam.spec
index 10e85ec..aa57414 100644
--- a/pam.spec
+++ b/pam.spec
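Review bot: After the revert, check_shadow_expiry returns PAM_NEW_AUTHTOK_REQD only for `spent->sp_lstchg == 0`; a stored hash that libxcrypt classifies as CRYPT_SALT_METHOD_LEGACY or CRYPT_SALT_TOO_CHEAP now authenticates with no prompt to re-hash, so any deployment that relied on the 1.5.1 behaviour to migrate weak hashes needs another mechanism (the shadow ageing fields, or auditing of hash prefixes). The remaining condition deserves a comment so the check is not re-added by someone reading only the code, e.g. `/* Only an explicit sp_lstchg == 0 forces a change here; hash-method policy (crypt_checksalt) belongs to passwd(1), see linux-pam issue #367. */`. check_shadow_expiry starts before and continues past this hunk, so the other expiry branches are not visible here.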
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -27,6 +27,9 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch1: pam-1.5.0-redhat-modules.patch
 Patch2: pam-1.5.0-noflex.patch
 Patch3: pam-1.3.0-unix-nomsg.patch
+# https://github.com/linux-pam/linux-pam/pull/368
+Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
+
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -110,6 +113,7 @@ cp %{SOURCE18} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .noflex
 %patch3 -p1 -b .nomsg
+%patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
 
 autoreconf -i
 
@@ -377,6 +381,10 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
     exit 0
 
 %changelog
+* Thu Jun 10 2021 Björn Esser - 1.5.1-6
+- Add a patch to not use crypt_checksalt for password expiration
+  Resolves: #1965345, #1967150
+
 * Fri Apr 16 2021 Benjamin Berg - 1.5.1-5
 - Add script to avoid fingerprint-auth issues for long term Fedora users
   Resolves: #1942443
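Review bot: Patch4 references the mutable pull-request URL `https://github.com/linux-pam/linux-pam/pull/368.patch`, whose content changes whenever the PR branch is amended, so a later `spectool -g` refresh can silently replace the committed pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch with different code than was reviewed. The upstream commit id is already recorded in the patch's From line, so pin it: `Patch4: https://github.com/linux-pam/linux-pam/commit/980d90c9232fe5325d1a4deddd42c597cf9e1a54.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch`. The %changelog hunk would also be more useful to administrators if it named the effect rather than the mechanism, e.g. `- Stop forcing a password change at login for accounts whose hash libxcrypt flags as legacy/too cheap (upstream revert, #367)`, since anyone relying on that behaviour for hash migration must now handle it elsewhere.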